#!/usr/bin/env bash

# Copyright 2021 Flant JSC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

source /shell_lib.sh

function __config__(){
  cat <<EOF
configVersion: v1
kubernetes:
  - name: dexauthenticators
    apiVersion: deckhouse.io/v1
    kind: DexAuthenticator
    queue: "dexauthenticators-list"
    group: main
    executeHookOnEvent: []
    executeHookOnSynchronization: false
    keepFullObjectsInMemory: false
    jqFilter: |
      {
        "name": .metadata.name,
        "namespace": .metadata.namespace,
        "applicationDomain": .spec.applicationDomain,
        "ingressClass": .spec.applicationIngressClassName
      }
kubernetesValidating:
- name: dexauthenticators-unique.deckhouse.io
  group: main
  rules:
  - apiGroups:   ["deckhouse.io"]
    apiVersions: ["v1", "v1alpha1"]
    operations:  ["CREATE", "UPDATE"]
    resources:   ["dexauthenticators"]
    scope:       "Namespaced"
EOF
}

function __main__() {
  newAuthDomain=$(context::jq -r '.review.request.object.spec.applicationDomain')
  newAuthIngressClass=$(context::jq -r '.review.request.object.spec.applicationIngressClassName')

  result=$(context::jq -r --arg domain "$newAuthDomain" --arg class "$newAuthIngressClass" '.snapshots.dexauthenticators[].filterResult | select(.applicationDomain == $domain and .ingressClass == $class)')

  if [ "$result" ]; then
    newAuthNamespace=$(context::jq -r '.review.request.object.metadata.namespace')
    newAuthName=$(context::jq -r '.review.request.object.metadata.name')
    existingAuth=$(echo "$result" | jq -r '.namespace + "/" + .name')
    # Update previously existing DexAuthenticator with the same name allowed
    if [[ "$existingAuth" == "$newAuthNamespace/$newAuthName" ]]; then
      cat <<EOF > "$VALIDATING_RESPONSE_PATH"
{"allowed":true}
EOF
      return 0;
    fi
    cat <<EOF > "$VALIDATING_RESPONSE_PATH"
{"allowed":false, "message":"Desired DexAuthenticator '$newAuthNamespace/$newAuthName' conflicts with the existing DexAuthenticator '$existingAuth'" }
EOF
  else
    # dexauthenticator with such values does not exist
    cat <<EOF > "$VALIDATING_RESPONSE_PATH"
{"allowed":true}
EOF
  fi
}

hook::run "$@"
